Terraform provider

Reference for the marboba Terraform provider. 11 resources + 7 data sources.

The official Terraform provider — somexai-applications-group/marboba — exposes every catalog primitive declaratively. Same auth contract as the REST API and the marboba CLI: a Personal Access Token (mb_pat_*).

Install

terraform {
  required_providers {
    marboba = {
      source  = "somexai-applications-group/marboba"
      version = "~> 0.1"
    }
  }
}

provider "marboba" {
  endpoint = "https://api.marboba.com" # default
  token    = var.marboba_token         # or MARBOBA_API_TOKEN env
}

Set MARBOBA_API_TOKEN and MARBOBA_ENDPOINT env vars to skip the explicit provider block.

Resources (11)

`marboba_api`

Attribute	Type	Required	Sensitive	Description
`id`	String	computed	—
`name`	String	yes	—
`description`	String	computed	—
`component_id`	String	computed	—	ID of the owning component (project), or omit if unowned.
`owner_team_id`	String	computed	—	Owning team. Falls back to the component’s owning team in lookups.
`kind`	String	computed	—	rest \| graphql \| grpc \| asyncapi \| openapi \| other. Defaults to rest.
`lifecycle`	String	computed	—	experimental \| production \| deprecated \| retired. Defaults to experimental.
`spec_url`	String	computed	—	Pointer to a hosted spec — OpenAPI JSON, .proto, schema.graphql.
`tags`	List	computed	—
`created_at`	String	computed	—
`updated_at`	String	computed	—

`marboba_dependency_edge`

Attribute	Type	Required	Sensitive	Description
`id`	String	computed	—
`from_kind`	String	yes	—	Kind of the dependent entity. One of: component, api, resource, system, domain.
`from_id`	String	yes	—	ID of the dependent entity.
`to_kind`	String	yes	—	Kind of the dependency target. One of: component, api, resource, system, domain.
`to_id`	String	yes	—	ID of the dependency target.
`type`	String	computed	—	Edge type. Default `depends_on`. Lowercase letters / digits / `_` / `-`.
`description`	String	computed	—	Free-form description of the relationship.
`created_at`	String	computed	—

`marboba_domain`

Attribute	Type	Required	Sensitive
`id`	String	computed	—
`name`	String	yes	—
`description`	String	computed	—
`owner_team_id`	String	computed	—
`tags`	List	computed	—
`created_at`	String	computed	—
`updated_at`	String	computed	—

`marboba_oncall_binding`

Attribute	Type	Required	Sensitive	Description
`id`	String	computed	—
`scope`	String	yes	—	Either `team` or `component` — what the binding targets. Immutable; changing it forces replacement.
`target_id`	String	yes	—	The team id (when scope=team) or app id (when scope=component) the binding targets. Immutable; changing it forces replacement.
`provider`	String	yes	—	On-call provider — `pagerduty`, `opsgenie`, or `manual`. Immutable; changing it forces replacement so the (scope, target_id, provider) uniqueness invariant holds.
`schedule_id`	String	computed	—	Provider-side schedule id. Required for pagerduty/opsgenie; ignored for manual. Immutable; changing it forces replacement.
`label`	String	computed	—	Human-readable label rendered on the in-app card. The only mutable field on a binding.
`currently_on_call_user_name`	String	computed	—
`currently_on_call_user_email`	String	computed	—
`currently_on_call_user_uid`	String	computed	—
`current_shift_starts_at`	String	computed	—
`current_shift_ends_at`	String	computed	—
`last_fetched_at`	String	computed	—
`last_fetch_error`	String	computed	—
`created_at`	String	computed	—
`updated_at`	String	computed	—

`marboba_project`

Attribute	Type	Required	Sensitive	Description
`id`	String	computed	—	Unique project identifier (assigned at create time).
`name`	String	yes	—	Display name. Required.
`description`	String	computed	—	Free-form summary of the project’s purpose.
`archived`	Bool	computed	—	If true, the project is hidden from default lists. Defaults to false.
`owner_team_id`	String	computed	—	ID of the team that owns this project (drives ownership graph + on-call routing).
`created_at`	String	computed	—	ISO-8601 timestamp from the server.
`updated_at`	String	computed	—	ISO-8601 timestamp from the server.

`marboba_resource`

Attribute	Type	Required	Sensitive	Description
`id`	String	computed	—
`name`	String	yes	—
`description`	String	computed	—
`component_id`	String	computed	—	ID of the owning component (project), or omit if shared.
`owner_team_id`	String	computed	—	Owning team. Falls back to the component’s owning team in lookups.
`kind`	String	computed	—	database \| queue \| bucket \| cache \| secret_store \| topic \| function \| load_balancer \| cdn \| other.
`provider`	String	computed	—	Cloud provider — aws \| gcp \| azure \| firebase \| cloudflare \| vercel \| supabase \| planetscale \| neon \| other.
`lifecycle`	String	computed	—	experimental \| production \| deprecated \| retired.
`console_url`	String	computed	—	Deep link into the cloud provider’s console for this resource.
`external_id`	String	computed	—	Provider’s ARN/URI/qualified name (S3 ARN, Pub/Sub topic, etc.).
`tags`	List	computed	—
`created_at`	String	computed	—
`updated_at`	String	computed	—

`marboba_runbook`

Attribute	Type	Required	Sensitive	Description
`id`	String	computed	—
`title`	String	yes	—
`body_md`	String	computed	—
`runbook_type`	String	yes	—	Free-form classifier — `incident_response`, `deployment`, `rollback`, `maintenance`, etc.
`linked_app_ids`	List	computed	—	Project ids this runbook applies to. Drives auto-surfacing during incidents.
`linked_incident_severities`	List	computed	—	Severities (e.g. `critical`, `high`) that auto-surface this runbook during incidents.
`tags`	List	computed	—
`pinned`	Bool	computed	—
`visibility_role_min`	String	computed	—	Minimum role required to view (defaults to `viewer`).
`generated_by_ai`	Bool	computed	—
`created_at`	String	computed	—
`updated_at`	String	computed	—

`marboba_scorecard`

Attribute	Type	Required	Sensitive	Description
`id`	String	computed	—
`name`	String	yes	—
`description`	String	computed	—
`applicable_kinds`	List	yes	—	Catalog entity kinds this scorecard applies to. One or more of: component, api, resource, system, domain.
`rules`	ListNested	yes	—
`type`	String	yes	—
`label`	String	yes	—
`description`	String	computed	—
`weight`	Int64	yes	—
`params_json`	String	no	—
`tiers`	ListNested	yes	—	Named score thresholds. Defaults to bronze=50, silver=75, gold=100 if omitted.
`min_score`	Int64	yes	—
`tags`	List	computed	—
`created_at`	String	computed	—
`updated_at`	String	computed	—

`marboba_slo`

Attribute	Type	Required	Sensitive	Description
`id`	String	computed	—
`name`	String	yes	—
`app_id`	String	yes	—	Component (project) this SLO applies to. Immutable; changing it forces replacement.
`type`	String	yes	—	One of: `availability`, `latency`, `errorRate`, `throughput`, `custom`.
`target`	Float64	yes	—	Target value. For availability/errorRate: percentage 0-100. For latency: percentile (e.g. 99 for p99). For throughput/custom: caller-defined.
`unit`	String	computed	—
`window`	String	yes	—	One of: `rolling7d`, `rolling30d`, `rolling90d`, `calendarMonth`, `calendarQuarter`.
`data_source`	String	computed	—	Where the current value is coming from (e.g. `prometheus.requests_total`). Free-form; not validated.
`current_value`	Float64	computed	—
`error_budget_total`	Float64	computed	—
`error_budget_remaining`	Float64	computed	—
`error_budget_percent_used`	Float64	computed	—
`status`	String	computed	—
`last_updated_at`	String	computed	—
`created_at`	String	computed	—
`updated_at`	String	computed	—

`marboba_system`

Attribute	Type	Required	Sensitive	Description
`id`	String	computed	—
`name`	String	yes	—
`description`	String	computed	—
`owner_team_id`	String	computed	—	Team that owns this system.
`domain_id`	String	computed	—	Parent domain id, or omit for top-level systems.
`lifecycle`	String	computed	—	experimental \| production \| deprecated \| retired.
`component_ids`	List	computed	—	Project ids that compose this system.
`api_ids`	List	computed	—	Catalog API ids that belong to this system.
`resource_ids`	List	computed	—	Catalog resource ids (DBs / queues / buckets / …) owned by this system.
`tags`	List	computed	—
`created_at`	String	computed	—
`updated_at`	String	computed	—

`marboba_team`

Attribute	Type	Required	Sensitive	Description
`id`	String	computed	—	Unique team identifier (assigned at create time).
`name`	String	yes	—	Display name. Required.
`description`	String	computed	—	Free-form summary of what the team owns.
`member_uids`	List	computed	—	User UIDs in the team. The first entry is treated as the team lead by some screens.
`created_at`	String	computed	—
`updated_at`	String	computed	—

Data sources (7)

`marboba_identity_provider`

Attribute	Type	Required	Description
`id`	String	yes	Identity provider id (the Firestore doc id, not the IdP entityID).
`name`	String	computed
`protocol`	String	computed	saml \| oidc.
`status`	String	computed	configuring \| active \| disabled \| error.
`priority`	Int64	computed	Lower = preferred when multiple IdPs match a domain.
`last_tested_at`	String	computed
`last_test_result`	String	computed	success \| failed.
`created_at`	String	computed
`updated_at`	String	computed
`saml`	SingleNested	computed	SAML 2.0 configuration. Null for OIDC providers.
`sso_url`	String	computed
`signing_cert`	String	computed	PEM-encoded IdP signing certificate.
`name_id_format`	String	computed
`sign_requests`	Bool	computed
`sp_entity_id`	String	computed	Computed MarBoba SP entity ID — give this to the IdP.
`acs_url`	String	computed	Computed assertion consumer service URL — give this to the IdP.
`oidc`	SingleNested	computed	OpenID Connect configuration. Null for SAML providers. Raw client secret never returned — only the vault keyword.
`client_id`	String	computed
`client_secret_vault_keyword`	String	computed
`discovery_url`	String	computed
`authorization_endpoint`	String	computed
`token_endpoint`	String	computed
`userinfo_endpoint`	String	computed
`jwks_uri`	String	computed
`jwks_cached_at`	String	computed
`scopes`	List	computed

`marboba_identity_providers`

Attribute	Type	Required
`providers`	ListNested	computed
`name`	String	computed
`protocol`	String	computed
`status`	String	computed
`priority`	Int64	computed
`last_tested_at`	String	computed
`last_test_result`	String	computed
`created_at`	String	computed
`updated_at`	String	computed
`saml`	SingleNested	computed
`sso_url`	String	computed
`signing_cert`	String	computed
`name_id_format`	String	computed
`sign_requests`	Bool	computed
`sp_entity_id`	String	computed
`acs_url`	String	computed
`oidc`	SingleNested	computed
`client_id`	String	computed
`client_secret_vault_keyword`	String	computed
`discovery_url`	String	computed
`authorization_endpoint`	String	computed
`token_endpoint`	String	computed
`userinfo_endpoint`	String	computed
`jwks_uri`	String	computed
`jwks_cached_at`	String	computed
`scopes`	List	computed

`marboba_project`

Attribute	Type	Required	Description
`id`	String	yes	Project id.
`name`	String	computed
`description`	String	computed
`archived`	Bool	computed
`owner_team_id`	String	computed
`created_at`	String	computed
`updated_at`	String	computed

`marboba_sso_domains`

Attribute	Type	Required	Description
`domains`	ListNested	computed
`normalized_domain`	String	computed
`identity_provider_id`	String	computed
`verification_status`	String	computed	pending \| verified \| failed \| expired \| conflict.
`verification_method`	String	computed	dns_txt \| dns_cname \| http_meta \| email_link.
`enforcement_override`	String	computed	inherit \| disabled \| optional \| required.
`verified_at`	String	computed
`added_at`	String	computed

`marboba_sso_settings`

Attribute	Type	Required	Description
`enforcement_mode`	String	computed	disabled \| optional \| required_verified \| required_all.
`allow_password_fallback`	Bool	computed
`break_glass_uids_count`	Int64	computed	Count only; the full UID list is not exposed via /v1.
`default_identity_provider_id`	String	computed
`force_jit_provisioning`	Bool	computed
`password_session_grace_period_minutes`	Int64	computed	Grace period after enforcement is changed. 0 = revoke immediately.
`updated_at`	String	computed

`marboba_team`

Attribute	Type	Required	Description
`id`	String	yes	Team id.
`name`	String	computed
`description`	String	computed
`member_uids`	List	computed
`created_at`	String	computed
`updated_at`	String	computed

`marboba_user`

Attribute	Type	Required	Description
`id`	String	yes	Firebase Auth uid.
`email`	String	computed
`display_name`	String	computed
`role`	String	computed
`is_active`	Bool	computed
`avatar_key`	String	computed
`avatar_bg_color`	String	computed
`avatar_font_color`	String	computed
`team_ids`	List	computed	Ids of every team this user belongs to.
`last_login_at`	String	computed
`created_at`	String	computed
`updated_at`	String	computed

Install

Resources (11)

marboba_api

marboba_dependency_edge

marboba_domain

marboba_oncall_binding

marboba_project

marboba_resource

marboba_runbook

marboba_scorecard

marboba_slo

marboba_system

marboba_team

Data sources (7)

marboba_identity_provider

marboba_identity_providers

marboba_project

marboba_sso_domains

marboba_sso_settings

marboba_team

marboba_user

See also

`marboba_api`

`marboba_dependency_edge`

`marboba_domain`

`marboba_oncall_binding`

`marboba_project`

`marboba_resource`

`marboba_runbook`

`marboba_scorecard`

`marboba_slo`

`marboba_system`

`marboba_team`

`marboba_identity_provider`

`marboba_identity_providers`

`marboba_project`

`marboba_sso_domains`

`marboba_sso_settings`

`marboba_team`

`marboba_user`